The U.S. military lacks full authority to defend the nation from a major cyber-attack aimed at crippling vital computer networks in the civilian sector, the general in charge of the new U.S. Cyber Command told lawmakers Thursday.
“Right now, the White House is leading a discussion on what are the authorities needed and how do we do this,” Gen. Keith Alexander, who is also National Security Agency director, told the House Armed Services Committee. “What are the authorities … we have legally, and then given that, what do we have to come back to Congress and reshape or mold.”
Experts say that questions of legal authority in the unique environment of cyberspace — where the networks critical to government and even military operations are owned and operated by the private sector — are a problem for U.S. cybersecurity efforts across the government.
Gen. Alexander said the administration is still grappling, as its predecessors had, with the exact role military, civilian and private sector entities would play in cybersecurity.
“How do we develop the team between Department of Homeland Security, FBI, Cyber Command and others to work as a team to defend the nation in cyberspace?” he said.
Asked directly by Rep. Jim Langevin, Rhode Island Democrat, whether he could today defend the United States against a major cyber-attack, Gen. Alexander replied that was not really his job.
“It is not my mission to defend today the entire nation. Our mission at Cyber Command is to defend the Defense Department networks,” he said.
He added, that if the command was tasked to defend civilian networks, “then we’d have to put in place the capabilities to do that. But, today, we could not.”
The Department of Homeland Security (DHS) has the lead in defending civilian government computer networks. The DHS is also in charge of coordinating with the private sector to defend commercial networks, that support vital industries like banking, power and transport.
In the event of a major cyber-attack against the electrical power grid, for instance, Gen. Alexander said that “right now, the defense of that would rely heavily on commercial industry to protect it.”
Although the military has authorities to assist civilian agencies in crisis situations, continuing ambiguity and uncertainty about exactly how the different elements of government would work together in the event of a large-scale, sophisticated cyber-attack — where network outages could cascade into a major disaster within minutes — troubles many observers.
“Despite the great work of Gen. Alexander and his staff, significant gaps remain in our ability to respond to a major cyber-event, where every second counts,” Mr. Langevin told The Washington Times.
“We must strategically plan across government to make sure all agencies and departments know their roles and what they are authorized to do in a large scale event,” he said.
Next week, DHS will stage just such a planning exercise, simulating a major cyber-incident in the United States. U.S. Cyber Command, which was created last year and plans to become fully operational next month, would take part, Gen. Alexander said.
But its participation also highlights some of the issues dogging U.S. policy, for example about when and how a cyber-incident is determined to be an act of war, triggering additional authorities for the military.
“That doesn’t mean that we’re not going to have issues about how much do we play … in that cyber-exercise, Defense Department issues versus Homeland Security issues,” he said. “And that’s probably where you’ll see more friction. So how much of each do you play? How radical do you make the exercise?”
Committee Chairman Rep. Ike Skelton, Missouri Democrat, suggested he favors a larger role for the military in a national cyberdefense plan.
The Department of Defense “has traditionally led the way in protecting information systems, so it is natural for CyberCom to play a role beyond just protecting military networks,” he said, adding, “What that role should be, however, needs careful analysis.”
• Shaun Waterman can be reached at 123@example.com.
Please read our comment policy before commenting.